As WorkHands expands the types of clients it serves in the apprenticeship space, one question keeps coming up from IT partners: "Are you SOC 2 Type II certified?"
We're happy to say we are.
Maybe you're not in IT and have no idea what we're talking about. Or maybe you have a friend who doesn't understand what we're talking about? Lucky you (or them)! One of WorkHands' core values is to Always Be Learning, so here's what we'd tell them. A SOC 2, or System and Organization Controls 2, is a security compliance framework that helps organizations protect customer data from unauthorized access, disclosure and other risks. (Strictly speaking, the outcome is an attestation report with an auditor's opinion rather than a certificate, but "SOC 2 certified" is how most people ask.) A Type I report covers whether controls were designed properly at a point in time; a Type II report, the one we hold, also tests that the controls operated effectively over an audit period of several months. In practice that works out to about 80 controls the organization must satisfy, scoped against the AICPA's Trust Services Criteria and grouped under the following categories:
Control Environment
Communication and Information
Risk Assessment
Monitoring Activities
Control Activities
Logical and Physical Access Controls
System Operations
Change Management
Risk Mitigation
Supporting Compliance Documentation
What are these controls exactly? They're questions like: Do you do employee background checks? Do you have policies in place for employee conduct, disaster recovery, security, and so on? Do you have well-defined roles and responsibilities? Do you log access to your infrastructure? Scan your code for vulnerabilities? Do you communicate system changes? Have service level agreements (SLAs)? Review outside vendors for risk? Have you had penetration tests done against your infrastructure? Do you handle onboarding and offboarding, with the necessary access grants and revocations, in a timely fashion? Do you maintain separate environments? Encrypt data? Restrict access to databases and networks? Use firewalls? And on, and on. This framework was established by the American Institute of Certified Public Accountants (AICPA) and requires a third-party auditor, a licensed CPA firm, to test that each control is designed appropriately and, for a Type II, that it operated effectively throughout the audit period.
How did we get there? WorkHands uses Vanta to monitor WorkHands infrastructure, check compliance with our policies, and alert us whenever any of our controls needs attention. Once all controls were in place and had operated for the audit period, WorkHands engaged a third-party auditor, Johanson LLP, to test them and issue the report. Finally, this isn't a one-person job at WorkHands. Compliance touches every member of the organization. Every employee completes security training and reviews our policies annually. Key staff watch for updates to HR or IT controls. Much like apprenticeship, this only works well when it's fully embedded in the organization, not just tacked on.
If you're in the market for simpler apprenticeship tracking, sign up for a demo and we'll walk you through the application and share our full SOC 2 report with you. If you're already working with us, simply send a request to support and they can get you a copy as well.